Contents

Top 300 Azure Sentinel Use Cases KQL (Kusto Query Language) queries

1. Failed login attempts
2. Successful login attempts
3. Brute-force attacks
4. Account lockouts
5. User account changes
6. Privileged account usage
7. Suspicious process execution
8. Data exfiltration
9. Network traffic anomalies
10. Malware detection
11. DDoS attacks
12. Suspicious PowerShell activity
13. Unusual account behavior
14. Privilege escalation attempts
15. Failed service principal logins
16. Suspicious Azure AD sign-ins
17. Unusual lateral movement
18. Azure resource modifications
19. Unusual DNS …
20. Data access by unusual IP addresses
21. Large data ex…
22. Unusual process e…
23. Suspicious Azure VM operations
24. Failed SQL Database access attempts
25. Azure AD user password changes
26. Account enumeration attempts
27. Suspicious Azure Storage operations
28. Suspicious PowerShell modules loaded
29. Failed Exchange mailbox login attempts
30. Suspicious Azure Key Vault access
31. Unusual IC…
32. Failed RDP login attempts
33. Suspicious Azure Function operations
34. Unusual Azure AD application registrations
35. Suspicious network port …
36. Failed Azure VM login attempts
37. Unusual Azure NSG rule modifications
38. Unusual Azure AD group modifications
39. Suspicious Azure Data Factory operations
40. Unusual Azure Key Vault secret accesses
41. Suspicious Azure Logic Apps operations
42. Unusual Azure AD role assignments
43. Suspicious Azure Event Grid operations
44. Unusual Azure AD application role assignments
45. Suspicious Azure Service Bus operations
46. Failed Azure Function execution attempts
47. Unusual Azure AD guest user additions
48. Suspicious Azure Event Hub operations
49. Unusual Azure AD risky sign-ins
50. Suspicious Azure IoT Hub operations
51. Unusual Azure AD administrator role assignments
52. Suspicious Azure Container Registry operations
53. Failed Azure Logic App execution attempts
54. Unusual Azure AD password reset attempts
55. Suspicious Azure Kubernetes Service operations
56. Failed Azure API Management operations
57. Unusual Azure AD consent grants
58. Suspicious Azure Batch operations
59. Failed Azure Monitor Alert actions
60. Unusual Azure AD OAuth application consents
61. Suspicious Azure HDInsight operations
62. Failed Azure Key Vault access attempts
63. Unusual Azure AD domain role assignments
64. Suspicious Azure Media Services operations
65. Failed Azure Front Door operations
66. Unusual Azure AD B2B guest user additions
67. Suspicious Azure Machine Learning operations
68. Failed Azure API Gateway operations
69. Unusual Azure AD B2C user sign-ups
70. Suspicious Azure Managed Identity operations
71. Failed Azure Data Factory operations
72. Unusual Azure AD B2C user password resets
73. Suspicious Azure CDN operations
74. Failed Azure Functions executions
75. Unusual Azure AD B2C user profile updates
76. Suspicious Azure Logic App runs
77. Failed Azure Key Vault secret access attempts
78. Unusual Azure DevOps pipeline modifications
79. Suspicious Azure SQL Database operations
80. Failed Azure Container Registry operations
81. Unusual Azure API Management service modifications
82. Suspicious Azure Cognitive Services operations
83. Failed Azure Batch operations
84. Unusual Azure Data Lake operations
85. Suspicious Azure Search Service modifications
86. Failed Azure IoT Hub operations
87. Unusual Azure Data Explorer (ADX) cluster operations
88. Suspicious Azure Cache for Redis operations
89. Failed Azure Kubernetes Service operations
90. Unusual Azure Functions executions
91. Suspicious Azure Databricks operations
92. Failed Azure API Management service operations
93. Unusual Azure Bot Service modifications
94. Suspicious Azure SQL Database operations
95. Failed Azure Container Instance operations
96. Unusual Azure API Management API modifications
97. Suspicious Azure Cognitive Search operations
98. Failed Azure Batch operations
99. Unusual Azure Data Factory pipeline executions
100. Suspicious Azure Notification Hubs operations
101. Failed Azure Event Hubs operations
102. Unusual Azure Functions executions
103. Suspicious Azure HDInsight operations
104. Failed Azure Key Vault access attempts
105. Unusual Azure Kubernetes Service operations
106. Suspicious Azure Logic Apps operations
107. Failed Azure Monitor Alert actions
108. Unusual Azure Media Services operations
109. Suspicious Azure API Gateway operations
110. Failed Azure Logic App execution attempts
111. Unusual Azure AD password reset attempts
112. Suspicious Azure Stream Analytics operations
113. Failed Azure SQL Database operations
114. Unusual Azure AD guest user additions
115. Suspicious Azure CDN operations
116. Failed Azure Monitor Alert actions
117. Unusual Azure AD B2B guest user additions
118. Suspicious Azure Redis Cache operations
119. Failed Azure Front Door operations
120. Unusual Azure AD B2B user sign-ins
121. Suspicious Azure Search service modifications
122. Failed Azure Data Lake operations
123. Unusual Azure AD B2B user password resets
124. Suspicious Azure Machine Learning operations
125. Failed Azure API Gateway operations
126. Unusual Azure AD B2B user profile updates
127. Suspicious Azure Logic App runs
128. Failed Azure Key Vault secret access attempts
129. Unusual Azure DevOps pipeline modifications
130. Suspicious Azure SQL Database operations
131. Failed Azure Container Registry operations
132. Unusual Azure API Management service modifications
133. Suspicious Azure Cognitive Services operations
134. Failed Azure Batch operations
135. Unusual Azure Data Lake operations
136. Suspicious Azure Search service modifications
137. Failed Azure IoT Hub operations
138. Unusual Azure Data Explorer (ADX) cluster operations
139. Suspicious Azure Cache for Redis operations
140. Failed Azure Kubernetes Service operations
141. Unusual Azure Functions executions
142. Suspicious Azure Databricks operations
143. Failed Azure API Management service operations
144. Unusual Azure Bot Service modifications
145. Suspicious Azure SQL Database operations
146. Failed Azure Container Instance operations
147. Unusual Azure API Management API modifications
148. Suspicious Azure Cognitive Search operations
149. Failed Azure Batch operations
150. Unusual Azure Data Factory pipeline executions
151. Suspicious Azure Notification Hubs operations
152. Failed Azure Event Hubs operations
153. Unusual Azure Functions executions
154. Suspicious Azure HDInsight operations
155. Failed Azure Key Vault access attempts
156. Unusual Azure Kubernetes Service operations
157. Suspicious Azure Logic Apps operations
158. Failed Azure Monitor Alert actions
159. Unusual Azure Media Services operations
160. Suspicious Azure API Gateway operations
161. Failed Azure Logic App execution attempts
162. Unusual Azure AD password reset attempts
163. Suspicious Azure Stream Analytics operations
164. Failed Azure SQL Database operations
165. Unusual Azure AD guest user additions
166. Suspicious Azure CDN operations
167. Failed Azure Monitor Alert actions
168. Unusual Azure AD B2B guest user additions
169. Suspicious Azure Redis Cache operations
170. Failed Azure Front Door operations
171. Unusual Azure AD B2B user sign-ins
172. Suspicious Azure Search service modifications
173. Failed Azure Data Lake operations
174. Unusual Azure AD B2B user password resets
175. Suspicious Azure Machine Learning operations
176. Failed Azure API Gateway operations
177. Unusual Azure AD B2B user profile updates
178. Suspicious Azure Logic App runs
179. Failed Azure Key Vault secret access attempts
180. Unusual Azure DevOps pipeline modifications
181. Suspicious Azure SQL Database operations
182. Failed Azure Container Registry operations
183. Unusual Azure API Management service modifications
184. Suspicious Azure Cognitive Services operations
185. Failed Azure Batch operations
186. Unusual Azure Data Lake operations
187. Suspicious Azure Search service modifications
188. Failed Azure IoT Hub operations
189. Unusual Azure Data Explorer (ADX) cluster operations
190. Suspicious Azure Cache for Redis operations
191. Failed Azure Kubernetes Service operations
192. Unusual Azure Functions executions
193. Suspicious Azure Databricks operations
194. Failed Azure API Management service operations
195. Unusual Azure Bot Service modifications
196. Suspicious Azure SQL Database operations
197. Failed Azure Container Instance operations
198. Unusual Azure API Management API modifications
199. Suspicious Azure Cognitive Search operations
200. Failed Azure Batch operations
201. Unusual Azure Data Factory pipeline executions
202. Suspicious Azure Notification Hubs operations
203. Failed Azure Event Hubs operations
204. Unusual Azure Functions executions
205. Suspicious Azure HDInsight operations
206. Failed Azure Key Vault access attempts
207. Unusual Azure Kubernetes Service operations
208. Suspicious Azure Logic Apps operations
209. Failed Azure Monitor Alert actions
210. Unusual Azure Media Services operations
211. Suspicious Azure API Gateway operations
212. Failed Azure Logic App execution attempts
213. Unusual Azure AD password reset attempts
214. Suspicious Azure Stream Analytics operations
215. Failed Azure SQL Database operations
216. Unusual Azure AD guest user additions
217. Suspicious Azure CDN operations
218. Failed Azure Monitor Alert actions
219. Unusual Azure AD B2B guest user additions
220. Suspicious Azure Redis Cache operations
221. Failed Azure Front Door operations
222. Unusual Azure AD B2B user sign-ins
223. Suspicious Azure Search service modifications
224. Failed Azure Data Lake operations
225. Unusual Azure AD B2B user password resets
226. Suspicious Azure Machine Learning operations
227. Failed Azure API Gateway operations
228. Unusual Azure AD B2B user profile updates
229. …
230. Failed Azure Key Vault secret access attempts
231. Unusual Azure DevOps pipeline modifications
232. Suspicious Azure SQL Database operations
233. Failed Azure Container Registry operations
234. Unusual Azure API Management service modifications
235. Suspicious Azure Cognitive Services operations
236. Failed Azure Batch operations
237. Unusual Azure Data Lake operations
238. Suspicious Azure Search service modifications
239. Failed Azure IoT Hub operations
240. Unusual Azure Data Explorer (ADX) cluster operations
241. Suspicious Azure Cache for Redis operations
242. Failed Azure Kubernetes Service operations
243. Unusual Azure Functions executions
244. Suspicious Azure Databricks operations
245. Failed Azure API Management service operations
246. Unusual Azure Bot Service modifications
247. Suspicious Azure SQL Database operations
248. Failed Azure Container Instance operations
249. Unusual Azure API Management API modifications
250. Suspicious Azure Cognitive Search operations
251. Failed Azure Batch operations
252. Unusual Azure Data Factory pipeline executions
253. Suspicious Azure Notification Hubs operations
254. Failed Azure Event Hubs operations
255. Unusual Azure Functions executions
256. Suspicious Azure HDInsight operations
257. Failed Azure Key Vault access attempts
258. Unusual Azure Kubernetes Service operations
259. Suspicious Azure Logic Apps operations
260. Failed Azure Monitor Alert actions
261. Unusual Azure Media Services operations
262. …
263. Failed Azure Logic App execution attempts
264. Unusual Azure AD password reset attempts
265. Suspicious Azure Stream Analytics operations
266. Failed Azure SQL Database operations
267. Unusual Azure AD guest user additions
268. Suspicious Azure CDN operations
269. Failed Azure Monitor Alert actions
270. Unusual Azure AD B2B guest user additions
271. Suspicious Azure Redis Cache operations
272. Failed Azure Front Door operations
273. Unusual Azure AD B2B user sign-ins
274. Suspicious Azure Search service modifications
275. Failed Azure Data Lake operations
276. Unusual Azure AD B2B user password resets
277. Suspicious Azure Machine Learning operations
278. Failed Azure API Gateway operations
279. Unusual Azure AD B2B user profile updates
280. Suspicious Azure Logic App runs
281. Failed Azure Key Vault secret access attempts
282. Unusual Azure DevOps pipeline modifications
283. Suspicious Azure SQL Database operations
284. Failed Azure Container Registry operations
285. Unusual Azure API Management service modifications
286. Suspicious Azure Cognitive Services operations
287. Failed Azure Batch operations
288. Unusual Azure Data Lake operations
289. Suspicious Azure Search Service modifications
290. Failed Azure IoT Hub operations
291. Unusual Azure Data Explorer (ADX) cluster operations
292. Suspicious Azure Cache for Redis operations
293. Failed Azure Kubernetes Service operations
294. Unusual Azure Functions executions
295. Suspicious Azure Databricks operations
296. Failed Azure API Management service operations
297. Unusual Azure Bot Service modifications
298. Suspicious Azure SQL Database operations
299. Failed Azure Container Instance operations

Top 300 Azure Sentinel Use Cases KQL (Kusto Query Language) queries.


1. Failed login attempts: 
SecurityEvent 
| where EventID == 4625 


2. Successful login attempts: 
SecurityEvent 
| where EventID == 4624 


3. Brute-force attacks:
SecurityEvent
| where EventID == 4625
| summarize count() by TargetUserName
| where count_ > <threshold> 
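A fuller form of the brute-force check in entry 3, added here as an example and not taken from the original list. Counting failures per account, as entry 3 does, misses a password spray in which every account sees only a handful of failures; grouping by source address in time bins surfaces both shapes. The 1h lookback, the 10-minute bin, the threshold of 20 and the 5-account spray cutoff are assumed starting values to tune per environment.

```kusto
// Added example (not from the original list): windowed brute-force and password-spray
// check over Windows 4625 events. lookback, bin size and thresholds are assumed values.
let lookback = 1h;
let threshold = 20;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625
| summarize FailedLogons = count(),
            TargetedAccounts = dcount(TargetUserName),
            SampleAccounts = make_set(TargetUserName, 10),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
    by IpAddress, Computer, bin(TimeGenerated, 10m)
| where FailedLogons > threshold
// many accounts with few failures each is a spray; one account hammered repeatedly is a classic brute force
| extend Pattern = iff(TargetedAccounts > 5, "password spray", "brute force")
| order by FailedLogons desc
```

Pair this with entry 2 (successful 4624 logons) from the same IpAddress in the following bin to find the attempt that eventually worked; that join is the alert most worth paging on.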


4. Account lockouts: 
SecurityEvent 
| where EventID == 4740 


5. User account changes: 
SecurityEvent 
| where EventID == 4738 or EventID == 4720 


6. Privileged account usage: 
SecurityEvent 
| where EventID in (4672, 4673, 4688) and AccountType == 'User' 


7. Suspicious process execution: 
SecurityEvent 
| where EventID == 4688 and InitiatingProcessCommandLine has_any ('powershell.exe', 'cmd.exe')


8. Data exfiltration: 
SecurityEvent 
| where EventID == 5145 and AccessMask == '0x2' 


9. Network traffic anomalies: 
SecurityAlert 
| where ProviderName == 'MicrosoftNetworkProtection' and AlertType == 'AnomalousNetworkTraffic' 


10. Malware detection: 
SecurityAlert 
| where ProviderName == 'MicrosoftDefenderATP' and AlertType == 'MalwareDetection' 


11. DDoS attacks: 
SecurityAlert 
| where ProviderName == 'DDoSProtection' and AlertType == 'DDoSGeneric' 


12. Suspicious PowerShell activity: 
SecurityEvent 
| where EventID == 4104 and (CommandLine has_any ('Invoke-Expression', 'Invoke-Script', 'iex'))


13. Unusual account behavior: 
SecurityEvent 
| where EventID == 4724 or EventID == 4725 


14. Privilege escalation attempts: 
SecurityEvent 
| where EventID == 4672 and NewProcessName contains 'cmd.exe' 


15. Failed service principal logins: 
AuditLogs 
| where OperationName == 'Sign-in by service principal' and ResultType == 'failure'


16. Suspicious Azure AD sign-ins: 
AuditLogs 
| where ActivityDisplayName == 'Sign-in' and ResultType == 'failure'


17. Unusual lateral movement: 
SecurityEvent 
| where EventID == 4624 and LogonType == 3 


18. Azure resource modifications: 
AzureActivity 
| where OperationName == 'Microsoft.Resources/subscriptions/resourcegroups/write' 


19. Unusual DNS queries: 
DnsEvents 
| where QueryType == 'A' and isnotempty(QueryName) and QueryName !startswith "Microsoft"


20. Data access by unusual IP addresses: 
SecurityEvent 
| where EventID == 4663 and SourceAddress !in ('x.x.x.x', 'y.y.y.y')


21. Large data exports: 
AuditLogs 
| where OperationName == 'Export' and ResultType == 'success' 


22. Unusual process creation: 
SecurityEvent 
| where EventID == 4688 and (NewProcessParentName != @'C:\Windows\System32\svchost.exe')


23. Suspicious Azure VM operations:
AzureActivity
| where ResourceType == 'Microsoft.Compute/virtualMachines' and OperationName in
    ('Microsoft.Compute/virtualMachines/write', 'Microsoft.Compute/virtualMachines/delete')


24. Failed SQL Database access attempts:
SecurityEvent
| where EventID == 18456 and LogonType == <logon_type>


25. Azure AD user password changes:
AuditLogs
| where ActivityDisplayName == 'Password reset' and ResultType == 'success'


26. Account enumeration attempts:
SecurityEvent
| where EventID == 4625 and FailureReason == 3221225578


27. Suspicious Azure Storage operations:
AzureActivity
| where ResourceType == 'Microsoft.Storage/storageAccounts' and OperationName in
('Microsoft.Storage/storageAccounts/write', 'Microsoft.Storage/storageAccounts/delete') 
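The AzureActivity write/delete pattern of entries 23 and 27, repeated for one service after another through the rest of this list, can be covered by a single rule. The query below is an added example, not part of the original list. It relies on the AzureActivity columns OperationNameValue, ActivityStatusValue, CategoryValue, Caller, CallerIpAddress, ResourceProviderValue and _ResourceId, keeps only operations that actually completed, and reports who made them and from where. The excluded caller entry and the threshold of 10 writes per hour are placeholders to replace with your own automation identities and baseline.

```kusto
// Added example (not from the original list): one rule for successful control-plane
// writes and deletes across every resource provider, attributed to the caller.
// The excluded caller name and the per-hour threshold are placeholders.
let excluded_callers = dynamic(["<automation-service-principal>"]);
AzureActivity
| where TimeGenerated > ago(1d)
| where CategoryValue == "Administrative"
| where ActivityStatusValue == "Success"
| where OperationNameValue endswith "/WRITE" or OperationNameValue endswith "/DELETE"
| where Caller !in (excluded_callers)
| extend Action = iff(OperationNameValue endswith "/DELETE", "delete", "write")
| summarize Operations = count(),
            Deletes = countif(Action == "delete"),
            Resources = make_set(_ResourceId, 20),
            SourceIps = make_set(CallerIpAddress, 5)
    by Caller, ResourceProviderValue, bin(TimeGenerated, 1h)
| where Deletes > 0 or Operations > 10
| order by Deletes desc, Operations desc
```

Control-plane writes from deployment pipelines are routine, so the value of this query lies in the Caller and SourceIps columns rather than the raw count; a delete by a human identity from an address that identity has not used before is the case to alert on.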


28. Suspicious PowerShell modules loaded: 
SecurityEvent 
| where EventID == 4104 and (ParentImage contains 'powershell.exe' or Image contains 'powershell.exe') 


29. Failed Exchange mailbox login attempts: 
SecurityEvent 
| where EventID == 4625 and LogonType == 10 


30. Suspicious Azure Key Vault access: 
AuditLogs 
| where ActivityDisplayName == 'Access granted to Key Vault' and ResultType == 'success'


31. Unusual VPN logins: 
SecurityEvent 
| where EventID == 4647 and LogonType == 21 


32. Failed RDP login attempts: 
SecurityEvent 
| where EventID == 4625 and LogonType == 10 


33. Suspicious Azure Function operations:
AzureActivity
| where ResourceType == 'Microsoft.Web/sites/functions' and OperationName in
    ('Microsoft.Web/sites/functions/write', 'Microsoft.Web/sites/functions/delete')


34. Unusual Azure AD application registrations:
AuditLogs
| where ActivityDisplayName == 'Add an application' and ResultType == 'success'


35. Suspicious network port scans: 
SecurityEvent 
| where EventID == 5156 and Port >= 1 and Port <= 1024 


36. Failed Azure VM login attempts:
AzureActivity
| where ResourceType == 'Microsoft.compute/virtualMachines' and OperationName ==
    'Microsoft.compute/virtualMachines/login/action'


37. Unusual Azure NSG rule modifications:
AzureActivity
| where ResourceType == 'Microsoft.Network/networkSecurityGroups/securityRules' and
    OperationName in ('Microsoft.Network/networkSecurityGroups/securityRules/write',
                      'Microsoft.Network/networkSecurityGroups/securityRules/delete')


38. Unusual Azure AD group modifications: 
AuditLogs 
| where ActivityDisplayName == 'Add member to group' and ResultType == 'success' 


39. Suspicious Azure Data Factory operations:
AzureActivity
| where ResourceType == 'Microsoft.DataFactory/factories' and OperationName in
    ('Microsoft.DataFactory/factories/write', 'Microsoft.DataFactory/factories/delete')


40. Unusual Azure Key Vault secret accesses: 
AuditLogs 
| where ActivityDisplayName == 'Get secret' and ResultType == 'success' 


41. Suspicious Azure Logic Apps operations:
AzureActivity
| where ResourceType == 'Microsoft.Logic/workflows' and OperationName in
    ('Microsoft.Logic/workflows/write', 'Microsoft.Logic/workflows/delete')


42. Unusual Azure AD role assignments:
AuditLogs
| where ActivityDisplayName == 'Add role assignment' and ResultType == 'success'


43. Suspicious Azure Event Grid operations:
AzureActivity
| where ResourceType == 'Microsoft.EventGrid/topics' and OperationName in
    ('Microsoft.EventGrid/topics/write', 'Microsoft.EventGrid/topics/delete')


44. Unusual Azure AD application role assignments:
AuditLogs
| where ActivityDisplayName == 'Add app role assignment' and ResultType == 'success'


45. Suspicious Azure Service Bus operations:
AzureActivity
| where ResourceType == 'Microsoft.ServiceBus/namespaces' and OperationName in
    ('Microsoft.ServiceBus/namespaces/write', 'Microsoft.ServiceBus/namespaces/delete')


46. Failed Azure Function execution attempts:
AzureDiagnostics
| where Category == 'FunctionAppLogs' and Level == 'Error'


47. Unusual Azure AD guest user additions:
AuditLogs
| where ActivityDisplayName == 'Invite user' and ResultType == 'success'


48. Suspicious Azure Event Hub operations:
AzureActivity
| where ResourceType == 'Microsoft.EventHub/namespaces' and OperationName in
    ('Microsoft.EventHub/namespaces/write', 'Microsoft.EventHub/namespaces/delete')


49. Unusual Azure AD risky sign-ins:
AuditLogs
| where ActivityDisplayName == 'Risky sign-in detected' and ResultType == 'success'


50. Suspicious Azure IoT Hub operations:
AzureActivity
| where ResourceType == 'Microsoft.Devices/IotHubs' and OperationName in
    ('Microsoft.Devices/IotHubs/write', 'Microsoft.Devices/IotHubs/delete')


51. Unusual Azure AD administrator role assignments:
AuditLogs
| where ActivityDisplayName == 'Add member to role' and ResultType == 'success'


52. Suspicious Azure Container Registry operations:
AzureActivity
| where ResourceType == 'Microsoft.ContainerRegistry/registries' and OperationName in
    ('Microsoft.ContainerRegistry/registries/write', 'Microsoft.ContainerRegistry/registries/delete')


53. Failed Azure Logic App execution attempts: 
AzureDiagnostics 
| where Category == 'LogicAppRuntime' and Level == 'Error' 


54. Unusual Azure AD password reset attempts: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'failure'


55. Suspicious Azure Kubernetes Service operations:
AzureActivity
| where ResourceType == 'Microsoft.ContainerService/managedClusters' and OperationName in
    ('Microsoft.ContainerService/managedClusters/write',
     'Microsoft.ContainerService/managedClusters/delete')


56. Failed Azure API Management operations:
AzureDiagnostics
| where Category == 'ApiManagementGatewayLogs' and Level == 'Error'


57. Unusual Azure AD consent grants:
AuditLogs
| where ActivityDisplayName == 'Grant OAuth2 permissions' and ResultType == 'success'


58. Suspicious Azure Batch operations:
AzureActivity
| where ResourceType == 'Microsoft.Batch/batchAccounts' and OperationName in
    ('Microsoft.Batch/batchAccounts/write', 'Microsoft.Batch/batchAccounts/delete')


59. Failed Azure Monitor Alert actions:
AzureDiagnostics
| where Category == 'Platform' and Level == 'Error'


60. Unusual Azure AD OAuth application consents:
AuditLogs
| where ActivityDisplayName == 'Consent to application' and ResultType == 'success'


61. Suspicious Azure HDInsight operations:
AzureActivity
| where ResourceType == 'Microsoft.HDInsight/clusters' and OperationName in
    ('Microsoft.HDInsight/clusters/write', 'Microsoft.HDInsight/clusters/delete')


62. Failed Azure Key Vault access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Error' 


63. Unusual Azure AD domain role assignments: 
AuditLogs 
| where ActivityDisplayName == 'Add member to directory role' and ResultType == 'success'
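Entries 42, 51 and 63 all match a role-assignment audit event by display name and stop there. The query below is an added example, not part of the original list; it pulls the actor, the target account and the role name out of the InitiatedBy and TargetResources dynamic columns so the alert says who granted what to whom. It filters on the Result column, which is where AuditLogs records success or failure, and treats "Add eligible member to role" (the PIM eligibility variant) as equivalent to a direct assignment.

```kusto
// Added example (not from the original list): who added whom to which directory role.
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in ("Add member to role", "Add eligible member to role")
| where Result == "success"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName),
         ActorApp = tostring(InitiatedBy.app.displayName),
         ActorIp = tostring(InitiatedBy.user.ipAddress),
         Target = tostring(TargetResources[0].userPrincipalName)
// the role name is carried as one of the modified properties on the target resource
| mv-expand ModifiedProperty = TargetResources[0].modifiedProperties
| where tostring(ModifiedProperty.displayName) == "Role.DisplayName"
// newValue is a JSON-encoded string, so strip the surrounding quotes
| extend RoleName = trim('"', tostring(ModifiedProperty.newValue))
| project TimeGenerated, Actor, ActorApp, ActorIp, Target, RoleName, CorrelationId
| order by TimeGenerated desc
```

ActorApp is populated when a service principal or an automated process made the change and Actor is empty; a non-empty Actor assigning a privileged role such as Global Administrator outside a change window is the row worth escalating.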


64. Suspicious Azure Media Services operations:
AzureActivity
| where ResourceType == 'Microsoft.Media/mediaservices' and OperationName in
    ('Microsoft.Media/mediaservices/write', 'Microsoft.Media/mediaservices/delete')


65. Failed Azure Front Door operations: 
AzureDiagnostics 
| where Category == 'Frontdoor' and Level == 'Error' 


66. Unusual Azure AD B2B guest user additions: 
AuditLogs 
| where ActivityDisplayName == 'Invite guest user' and ResultType == 'success'


67. Suspicious Azure Machine Learning operations:
AzureActivity
| where ResourceType == 'Microsoft.MachineLearningServices/workspaces' and OperationName in
    ('Microsoft.MachineLearningServices/workspaces/write',
     'Microsoft.MachineLearningServices/workspaces/delete')


68. Failed Azure API Gateway operations: 
AzureDiagnostics 
| where Category == 'ApiManagementGatewayLogs' and Level == 'Error' 


69. Unusual Azure AD B2C user sign-ups: 
AuditLogs 
| where ActivityDisplayName == 'Sign up user' and ResultType == 'success'


70. Suspicious Azure Managed Identity operations:
AzureActivity
| where ResourceType == 'Microsoft.ManagedIdentity/userAssignedIdentities' and OperationName in
    ('Microsoft.ManagedIdentity/userAssignedIdentities/write',
     'Microsoft.ManagedIdentity/userAssignedIdentities/delete')


71. Failed Azure Data Factory operations: 
AzureDiagnostics 
| where Category == 'DataFactoryPipelineRuns' and Level == 'Error' 


72. Unusual Azure AD B2C user password resets: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'success' 


73. Suspicious Azure CDN operations:
AzureActivity
| where ResourceType == 'Microsoft.Cdn/profiles' and OperationName in
    ('Microsoft.Cdn/profiles/write', 'Microsoft.Cdn/profiles/delete')


74. Failed Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Error' 


75. Unusual Azure AD B2C user profile updates: 
AuditLogs 
| where ActivityDisplayName == 'Update user' and ResultType == 'success'


76. Suspicious Azure Logic App runs: 
AzureDiagnostics 
| where Category == 'LogicAppRuns' and Level == 'Error' 


77. Failed Azure Key Vault secret access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Error' 
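A more precise form of the Key Vault failure checks in entries 62 and 77 (and their later repeats), added as an example that is not part of the original list. Key Vault diagnostic logs arrive in AzureDiagnostics with ResourceProvider MICROSOFT.KEYVAULT and Category AuditEvent, and the outcome of each request is carried in ResultType, so the query keys on those rather than the generic Level column and then groups by caller so a single misconfigured client and a credential-stuffing source look different. The threshold of 5 failures per source per hour is an assumed value.

```kusto
// Added example (not from the original list): Key Vault request failures taken from the
// vault's own audit events, attributed to caller address and (where present) caller UPN.
// The per-hour threshold is an assumed value.
AzureDiagnostics
| where TimeGenerated > ago(1d)
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
| where ResultType != "Success"
// the UPN claim column is only present when a user identity (not a managed identity) made the call
| extend CallerUpn = column_ifexists("identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s", "")
| summarize Failures = count(),
            Operations = make_set(OperationName, 10),
            Vaults = make_set(Resource, 5)
    by CallerIPAddress, CallerUpn, ResultType, bin(TimeGenerated, 1h)
| where Failures > 5
| order by Failures desc
```

Grouping on ResultType keeps authorization failures (a caller with no access policy or role) separate from not-found errors, which usually come from an application asking for a secret name that was never created; only the first kind points at a permissions probe.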


78. Unusual Azure DevOps pipeline modifications:
AzureActivity
| where ResourceType == 'Microsoft.DevOps/pipelines' and OperationName in
    ('Microsoft.DevOps/pipelines/write', 'Microsoft.DevOps/pipelines/delete')


79. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in
    ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


80. Failed Azure Container Registry operations:
AzureDiagnostics
| where Category == 'ContainerRegistry' and Level == 'Error'


81. Unusual Azure API Management service modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service' and OperationName in
    ('Microsoft.ApiManagement/service/write', 'Microsoft.ApiManagement/service/delete')


82. Suspicious Azure Cognitive Services operations:
AzureActivity
| where ResourceType == 'Microsoft.CognitiveServices/accounts' and OperationName in
    ('Microsoft.CognitiveServices/accounts/write', 'Microsoft.CognitiveServices/accounts/delete')


83. Failed Azure Batch operations: 
AzureDiagnostics 
| where Category == 'BatchAccountLogs' and Level == 'Error' 


84. Unusual Azure Data Lake operations:
AzureActivity
| where ResourceType == 'Microsoft.DataLakeStore/accounts' and OperationName in
    ('Microsoft.DataLakeStore/accounts/write', 'Microsoft.DataLakeStore/accounts/delete')


85. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in
    ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


86. Failed Azure IoT Hub operations:
AzureDiagnostics
| where Category == 'IotHubD2CLogs' and Level == 'Error'


87. Unusual Azure Data Explorer (ADX) cluster operations:
AzureActivity
| where ResourceType == 'Microsoft.Kusto/clusters' and OperationName in
    ('Microsoft.Kusto/clusters/write', 'Microsoft.Kusto/clusters/delete')


88. Suspicious Azure Cache for Redis operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in
    ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


89. Failed Azure Kubernetes Service operations: 
AzureDiagnostics 
| where Category == 'KubeApiServerAuditLogs' and Level == 'Error' 


90. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Warning' 


91. Suspicious Azure Databricks operations:
AzureActivity
| where ResourceType == 'Microsoft.Databricks/workspaces' and OperationName in
    ('Microsoft.Databricks/workspaces/write', 'Microsoft.Databricks/workspaces/delete')


92. Failed Azure API Management service operations: 
AzureDiagnostics 
| where Category == 'ApiManagementGatewayLogs' and Level == 'Warning' 


93. Unusual Azure Bot Service modifications:
AzureActivity
| where ResourceType == 'Microsoft.BotService/botServices' and OperationName in
    ('Microsoft.BotService/botServices/write', 'Microsoft.BotService/botServices/delete')


94. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in
    ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


95. Failed Azure Container Instance operations:
AzureDiagnostics
| where Category == 'ContainerInstanceLogs' and Level == 'Warning'


96. Unusual Azure API Management API modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service/apis' and OperationName in
    ('Microsoft.ApiManagement/service/apis/write', 'Microsoft.ApiManagement/service/apis/delete')


97. Suspicious Azure Cognitive Search operations:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in
    ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


98. Failed Azure Batch operations: 
AzureDiagnostics 
| where Category == 'BatchAccountLogs' and Level == 'Warning' 


99. Unusual Azure Data Factory pipeline executions: 
AzureDiagnostics 
| where Category == 'DataFactoryPipelineRuns' and Level == 'Warning' 


100. Suspicious Azure Notification Hubs operations:
AzureActivity
| where ResourceType == 'Microsoft.NotificationHubs/namespaces' and OperationName in
    ('Microsoft.NotificationHubs/namespaces/write', 'Microsoft.NotificationHubs/namespaces/delete')


101. Failed Azure Event Hubs operations: 
AzureDiagnostics 
| where Category == 'EventHub' and Level == 'Warning' 


102. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Information' 


103. Suspicious Azure HDInsight operations:
AzureActivity
| where ResourceType == 'Microsoft.HDInsight/clusters' and OperationName in
    ('Microsoft.HDInsight/clusters/write', 'Microsoft.HDInsight/clusters/delete')


104. Failed Azure Key Vault access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Warning' 


105. Unusual Azure Kubernetes Service operations:
AzureActivity
| where ResourceType == 'Microsoft.ContainerService/managedClusters' and OperationName in
    ('Microsoft.ContainerService/managedClusters/write',
     'Microsoft.ContainerService/managedClusters/delete')


106. Suspicious Azure Logic Apps operations:
AzureActivity
| where ResourceType == 'Microsoft.Logic/workflows' and OperationName in
    ('Microsoft.Logic/workflows/write', 'Microsoft.Logic/workflows/delete')


107. Failed Azure Monitor Alert actions: 
AzureDiagnostics 
| where Category == 'Platform' and Level == 'Warning' 


108. Unusual Azure Media Services operations:
AzureActivity
| where ResourceType == 'Microsoft.Media/mediaservices' and OperationName in
    ('Microsoft.Media/mediaservices/write', 'Microsoft.Media/mediaservices/delete')


109. Suspicious Azure API Gateway operations:
AzureActivity
| where ResourceType == 'Microsoft.ApiGateway/service' and OperationName in
    ('Microsoft.ApiGateway/service/write', 'Microsoft.ApiGateway/service/delete')


110. Failed Azure Logic App execution attempts: 
AzureDiagnostics 
| where Category == 'LogicAppRuntime' and Level == 'Warning' 


111. Unusual Azure AD password reset attempts: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'failure'


112. Suspicious Azure Stream Analytics operations:
AzureActivity
| where ResourceType == 'Microsoft.StreamAnalytics/streamingjobs' and OperationName in
    ('Microsoft.StreamAnalytics/streamingjobs/write', 'Microsoft.StreamAnalytics/streamingjobs/delete')


113. Failed Azure SQL Database operations: 
AzureDiagnostics 
| where Category == 'SQLSecurityAuditEvents' and Level == 'Warning' 


114. Unusual Azure AD guest user additions: 
AuditLogs 
| where ActivityDisplayName == 'Invite user' and ResultType == 'success'


115. Suspicious Azure CDN operations:
AzureActivity
| where ResourceType == 'Microsoft.Cdn/profiles' and OperationName in
    ('Microsoft.Cdn/profiles/write', 'Microsoft.Cdn/profiles/delete')


116. Failed Azure Monitor Alert actions: 
AzureDiagnostics 
| where Category == 'Platform' and Level == 'Warning' 


117. Unusual Azure AD B2B guest user additions: 
AuditLogs 
| where ActivityDisplayName == 'Invite guest user' and ResultType == 'success'


118. Suspicious Azure Redis Cache operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in
    ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


119. Failed Azure Front Door operations:
AzureDiagnostics
| where Category == 'Frontdoor' and Level == 'Warning'


120. Unusual Azure AD B2B user sign-ins: 
AuditLogs 
| where ActivityDisplayName == 'B2B user sign-in' and ResultType == 'success' 


121. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in
    ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


122. Failed Azure Data Lake operations: 
AzureDiagnostics 
| where Category == 'DataLakeStoreLogs' and Level == 'Warning' 


123. Unusual Azure AD B2B user password resets:
AuditLogs
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'success'


124. Suspicious Azure Machine Learning operations:
AzureActivity
| where ResourceType == 'Microsoft.MachineLearningServices/workspaces' and OperationName in
    ('Microsoft.MachineLearningServices/workspaces/write',
     'Microsoft.MachineLearningServices/workspaces/delete')


125. Failed Azure API Gateway operations: 
AzureDiagnostics 
| where Category == 'ApiManagementGatewayLogs' and Level == 'Warning' 


126. Unusual Azure AD B2B user profile updates: 


AuditLogs 
| where ActivityDisplayName == 'Update user! and ResultType == 'success' 


127. Suspicious Azure Logic App runs: 
AzureDiagnostics 
| where Category == 'LogicAppRuns' and Level == 'Warning' 


128. Failed Azure Key Vault secret access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Warning' 


129. Unusual Azure DevOps pipeline modifications:
AzureActivity
| where ResourceType == 'Microsoft.DevOps/pipelines' and OperationName in
    ('Microsoft.DevOps/pipelines/write', 'Microsoft.DevOps/pipelines/delete')


130. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in
    ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


131. Failed Azure Container Registry operations:
AzureDiagnostics
| where Category == 'ContainerRegistry' and Level == 'Warning'


132. Unusual Azure API Management service modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service' and OperationName in
    ('Microsoft.ApiManagement/service/write', 'Microsoft.ApiManagement/service/delete')


133. Suspicious Azure Cognitive Services operations:
AzureActivity
| where ResourceType == 'Microsoft.CognitiveServices/accounts' and OperationName in
    ('Microsoft.CognitiveServices/accounts/write', 'Microsoft.CognitiveServices/accounts/delete')


134. Failed Azure Batch operations:
AzureDiagnostics
| where Category == 'BatchAccountLogs' and Level == 'Warning'


135. Unusual Azure Data Lake operations:
AzureActivity
| where ResourceType == 'Microsoft.DataLakeStore/accounts' and OperationName in
    ('Microsoft.DataLakeStore/accounts/write', 'Microsoft.DataLakeStore/accounts/delete')


136. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in
    ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


137. Failed Azure IoT Hub operations:
AzureDiagnostics
| where Category == 'IotHubD2CLogs' and Level == 'Warning'


138. Unusual Azure Data Explorer (ADX) cluster operations:
AzureActivity
| where ResourceType == 'Microsoft.Kusto/clusters' and OperationName in
    ('Microsoft.Kusto/clusters/write', 'Microsoft.Kusto/clusters/delete')


139. Suspicious Azure Cache for Redis operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in
    ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


140. Failed Azure Kubernetes Service operations: 
AzureDiagnostics 
| where Category == 'KubeApiServerAuditLogs' and Level == 'Warning' 


141. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Error' 


142. Suspicious Azure Databricks operations:
AzureActivity
| where ResourceType == 'Microsoft.Databricks/workspaces' and OperationName in
    ('Microsoft.Databricks/workspaces/write', 'Microsoft.Databricks/workspaces/delete')


143. Failed Azure API Management service operations:
AzureDiagnostics
| where Category == 'ApiManagementGatewayLogs' and Level == 'Error'


144. Unusual Azure Bot Service modifications:
AzureActivity
| where ResourceType == 'Microsoft.BotService/botServices' and OperationName in
    ('Microsoft.BotService/botServices/write', 'Microsoft.BotService/botServices/delete')


145. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in
    ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


146. Failed Azure Container Instance operations:
AzureDiagnostics
| where Category == 'ContainerInstanceLogs' and Level == 'Error'


147. Unusual Azure API Management API modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service/apis' and OperationName in
    ('Microsoft.ApiManagement/service/apis/write', 'Microsoft.ApiManagement/service/apis/delete')


148. Suspicious Azure Cognitive Search operations:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in
    ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


149. Failed Azure Batch operations:
AzureDiagnostics
| where Category == 'BatchAccountLogs' and Level == 'Error'


150. Unusual Azure Data Factory pipeline executions: 
AzureDiagnostics 
| where Category == 'DataFactoryPipelineRuns' and Level == 'Error' 


151. Suspicious Azure Notification Hubs operations:
AzureActivity
| where ResourceType == 'Microsoft.NotificationHubs/namespaces' and OperationName in
    ('Microsoft.NotificationHubs/namespaces/write', 'Microsoft.NotificationHubs/namespaces/delete')


152. Failed Azure Event Hubs operations: 
AzureDiagnostics 
| where Category == 'EventHub' and Level == 'Error' 


153. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Information' 


154. Suspicious Azure HDInsight operations:
AzureActivity
| where ResourceType == 'Microsoft.HDInsight/clusters' and OperationName in
    ('Microsoft.HDInsight/clusters/write', 'Microsoft.HDInsight/clusters/delete')


155. Failed Azure Key Vault access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Error' 


156. Unusual Azure Kubernetes Service operations:
AzureActivity
| where ResourceType == 'Microsoft.ContainerService/managedClusters' and OperationName in
    ('Microsoft.ContainerService/managedClusters/write',
     'Microsoft.ContainerService/managedClusters/delete')


157. Suspicious Azure Logic Apps operations:
AzureActivity
| where ResourceType == 'Microsoft.Logic/workflows' and OperationName in
    ('Microsoft.Logic/workflows/write', 'Microsoft.Logic/workflows/delete')


158. Failed Azure Monitor Alert actions: 
AzureDiagnostics 
| where Category == 'Platform' and Level == 'Error' 


159. Unusual Azure Media Services operations:
AzureActivity
| where ResourceType == 'Microsoft.Media/mediaservices' and OperationName in
    ('Microsoft.Media/mediaservices/write', 'Microsoft.Media/mediaservices/delete')


160. Suspicious Azure API Gateway operations:
AzureActivity
| where ResourceType == 'Microsoft.ApiGateway/service' and OperationName in
    ('Microsoft.ApiGateway/service/write', 'Microsoft.ApiGateway/service/delete')


161. Failed Azure Logic App execution attempts: 
AzureDiagnostics 
| where Category == 'LogicAppRuntime' and Level == 'Error' 


162. Unusual Azure AD password reset attempts: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'failure' 


163. Suspicious Azure Stream Analytics operations:
AzureActivity
| where ResourceType == 'Microsoft.StreamAnalytics/streamingjobs' and OperationName in
    ('Microsoft.StreamAnalytics/streamingjobs/write', 'Microsoft.StreamAnalytics/streamingjobs/delete')


164. Failed Azure SQL Database operations:
AzureDiagnostics
| where Category == 'SQLSecurityAuditEvents' and Level == 'Error'


165. Unusual Azure AD guest user additions:
AuditLogs
| where ActivityDisplayName == 'Invite user' and ResultType == 'success'


166. Suspicious Azure CDN operations:
AzureActivity
| where ResourceType == 'Microsoft.Cdn/profiles' and OperationName in
    ('Microsoft.Cdn/profiles/write', 'Microsoft.Cdn/profiles/delete')


167. Failed Azure Monitor Alert actions: 
AzureDiagnostics 
| where Category == 'Platform' and Level == 'Error' 


168. Unusual Azure AD B2B guest user additions: 
AuditLogs 
| where ActivityDisplayName == 'Invite guest user' and ResultType == 'success' 


169. Suspicious Azure Redis Cache operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in
    ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


170. Failed Azure Front Door operations: 
AzureDiagnostics 
| where Category == 'Frontdoor' and Level == 'Error' 


171. Unusual Azure AD B2B user sign-ins: 
AuditLogs 
| where ActivityDisplayName == 'B2B user sign-in' and ResultType == 'success' 


172. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in
    ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


173. Failed Azure Data Lake operations:
AzureDiagnostics
| where Category == 'DataLakeStoreLogs' and Level == 'Error'


174. Unusual Azure AD B2B user password resets: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'success' 


175. Suspicious Azure Machine Learning operations:
AzureActivity
| where ResourceType == 'Microsoft.MachineLearningServices/workspaces' and OperationName in
    ('Microsoft.MachineLearningServices/workspaces/write',
     'Microsoft.MachineLearningServices/workspaces/delete')


176. Failed Azure API Gateway operations:
AzureDiagnostics
| where Category == 'ApiManagementGatewayLogs' and Level == 'Error'


177. Unusual Azure AD B2B user profile updates:
AuditLogs
| where ActivityDisplayName == 'Update user' and ResultType == 'success'


178. Suspicious Azure Logic App runs: 
AzureDiagnostics 
| where Category == 'LogicAppRuns' and Level == 'Error' 


179. Failed Azure Key Vault secret access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Error' 


180. Unusual Azure DevOps pipeline modifications:
AzureActivity
| where ResourceType == 'Microsoft.DevOps/pipelines' and OperationName in
    ('Microsoft.DevOps/pipelines/write', 'Microsoft.DevOps/pipelines/delete')


181. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in
    ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


182. Failed Azure Container Registry operations:
AzureDiagnostics
| where Category == 'ContainerRegistry' and Level == 'Error'


183. Unusual Azure API Management service modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service' and OperationName in
    ('Microsoft.ApiManagement/service/write', 'Microsoft.ApiManagement/service/delete')


184. Suspicious Azure Cognitive Services operations:
AzureActivity
| where ResourceType == 'Microsoft.CognitiveServices/accounts' and OperationName in
    ('Microsoft.CognitiveServices/accounts/write', 'Microsoft.CognitiveServices/accounts/delete')


185. Failed Azure Batch operations: 
AzureDiagnostics 
| where Category == 'BatchAccountLogs' and Level == 'Error' 


186. Unusual Azure Data Lake operations: 

AzureActivity 

| where ResourceType == 'Microsoft. DataLakeStore/accounts' and OperationName in 
('Microsoft.DataLakeStore/accounts/write', 'Microsoft.DataLakeStore/accounts/delete') 


187. Suspicious Azure Search service modifications: 

AzureActivity 

| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in 
('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete') 


188. Failed Azure IoT Hub operations:
AzureDiagnostics
| where Category == 'IoTHubD2CLogs' and Level == 'Error'


189. Unusual Azure Data Explorer (ADX) cluster operations:
AzureActivity
| where ResourceType == 'Microsoft.Kusto/clusters' and OperationName in ('Microsoft.Kusto/clusters/write', 'Microsoft.Kusto/clusters/delete')


190. Suspicious Azure Cache for Redis operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


191. Failed Azure Kubernetes Service operations: 
AzureDiagnostics 
| where Category == 'KubeApiServerAuditLogs' and Level == 'Error' 


192. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Warning' 


193. Suspicious Azure Databricks operations:
AzureActivity
| where ResourceType == 'Microsoft.Databricks/workspaces' and OperationName in ('Microsoft.Databricks/workspaces/write', 'Microsoft.Databricks/workspaces/delete')


194. Failed Azure API Management service operations: 
AzureDiagnostics 
| where Category == 'ApiManagementGatewayLogs' and Level == 'Warning' 


195. Unusual Azure Bot Service modifications:
AzureActivity
| where ResourceType == 'Microsoft.BotService/botServices' and OperationName in ('Microsoft.BotService/botServices/write', 'Microsoft.BotService/botServices/delete')


196. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


197. Failed Azure Container Instance operations:
AzureDiagnostics
| where Category == 'ContainerInstanceLogs' and Level == 'Warning'


198. Unusual Azure API Management API modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service/apis' and OperationName in ('Microsoft.ApiManagement/service/apis/write', 'Microsoft.ApiManagement/service/apis/delete')


199. Suspicious Azure Cognitive Search operations:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


200. Failed Azure Batch operations: 
AzureDiagnostics 
| where Category == 'BatchAccountLogs' and Level == 'Warning' 


201. Unusual Azure Data Factory pipeline executions: 
AzureDiagnostics 
| where Category == 'DataFactoryPipelineRuns' and Level == 'Warning' 


202. Suspicious Azure Notification Hubs operations:
AzureActivity
| where ResourceType == 'Microsoft.NotificationHubs/namespaces' and OperationName in ('Microsoft.NotificationHubs/namespaces/write', 'Microsoft.NotificationHubs/namespaces/delete')


203. Failed Azure Event Hubs operations: 
AzureDiagnostics 
| where Category == 'EventHub' and Level == 'Warning' 


204. Unusual Azure Functions executions:
AzureDiagnostics
| where Category == 'FunctionAppLogs' and Level == 'Information'


205. Suspicious Azure HDInsight operations:
AzureActivity
| where ResourceType == 'Microsoft.HDInsight/clusters' and OperationName in ('Microsoft.HDInsight/clusters/write', 'Microsoft.HDInsight/clusters/delete')


206. Failed Azure Key Vault access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Warning' 


207. Unusual Azure Kubernetes Service operations:
AzureActivity
| where ResourceType == 'Microsoft.ContainerService/managedClusters' and OperationName in ('Microsoft.ContainerService/managedClusters/write', 'Microsoft.ContainerService/managedClusters/delete')


208. Suspicious Azure Logic Apps operations:
AzureActivity
| where ResourceType == 'Microsoft.Logic/workflows' and OperationName in ('Microsoft.Logic/workflows/write', 'Microsoft.Logic/workflows/delete')


209. Failed Azure Monitor Alert actions: 
AzureDiagnostics 
| where Category == 'Platform' and Level == 'Warning' 


210. Unusual Azure Media Services operations:
AzureActivity
| where ResourceType == 'Microsoft.Media/mediaservices' and OperationName in ('Microsoft.Media/mediaservices/write', 'Microsoft.Media/mediaservices/delete')


211. Suspicious Azure API Gateway operations:
AzureActivity
| where ResourceType == 'Microsoft.ApiGateway/service' and OperationName in ('Microsoft.ApiGateway/service/write', 'Microsoft.ApiGateway/service/delete')


212. Failed Azure Logic App execution attempts: 
AzureDiagnostics 
| where Category == 'LogicAppRuntime' and Level == 'Warning' 


213. Unusual Azure AD password reset attempts: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'failure' 


214. Suspicious Azure Stream Analytics operations:
AzureActivity
| where ResourceType == 'Microsoft.StreamAnalytics/streamingjobs' and OperationName in ('Microsoft.StreamAnalytics/streamingjobs/write', 'Microsoft.StreamAnalytics/streamingjobs/delete')


215. Failed Azure SQL Database operations: 
AzureDiagnostics 
| where Category == 'SQLSecurityAuditEvents' and Level == 'Warning' 


216. Unusual Azure AD guest user additions:
AuditLogs
| where ActivityDisplayName == 'Invite user' and ResultType == 'success'


217. Suspicious Azure CDN operations:
AzureActivity
| where ResourceType == 'Microsoft.Cdn/profiles' and OperationName in ('Microsoft.Cdn/profiles/write', 'Microsoft.Cdn/profiles/delete')


218. Failed Azure Monitor Alert actions: 
AzureDiagnostics 
| where Category == 'Platform' and Level == 'Warning' 


219. Unusual Azure AD B2B guest user additions: 
AuditLogs 
| where ActivityDisplayName == 'Invite guest user' and ResultType == 'success' 


220. Suspicious Azure Redis Cache operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


221. Failed Azure Front Door operations: 
AzureDiagnostics 
| where Category == 'Frontdoor' and Level == 'Warning' 


222. Unusual Azure AD B2B user sign-ins: 
AuditLogs 
| where ActivityDisplayName == 'B2B user sign-in' and ResultType == 'success' 


223. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


224. Failed Azure Data Lake operations: 
AzureDiagnostics 
| where Category == 'DataLakeStoreLogs' and Level == 'Warning' 


225. Unusual Azure AD B2B user password resets:
AuditLogs
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'success'


226. Suspicious Azure Machine Learning operations:
AzureActivity
| where ResourceType == 'Microsoft.MachineLearningServices/workspaces' and OperationName in ('Microsoft.MachineLearningServices/workspaces/write', 'Microsoft.MachineLearningServices/workspaces/delete')


227. Failed Azure API Gateway operations: 
AzureDiagnostics 
| where Category == 'ApiManagementGatewayLogs' and Level == 'Warning' 


228. Unusual Azure AD B2B user profile updates:
AuditLogs
| where ActivityDisplayName == 'Update user' and ResultType == 'success'


229. Suspicious Azure Logic App runs: 
AzureDiagnostics 
| where Category == 'LogicAppRuns' and Level == 'Warning' 


230. Failed Azure Key Vault secret access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Warning' 


231. Unusual Azure DevOps pipeline modifications:
AzureActivity
| where ResourceType == 'Microsoft.DevOps/pipelines' and OperationName in ('Microsoft.DevOps/pipelines/write', 'Microsoft.DevOps/pipelines/delete')


232. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


233. Failed Azure Container Registry operations: 
AzureDiagnostics 
| where Category == 'ContainerRegistry' and Level == 'Warning' 


234. Unusual Azure API Management service modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service' and OperationName in ('Microsoft.ApiManagement/service/write', 'Microsoft.ApiManagement/service/delete')


235. Suspicious Azure Cognitive Services operations:
AzureActivity
| where ResourceType == 'Microsoft.CognitiveServices/accounts' and OperationName in ('Microsoft.CognitiveServices/accounts/write', 'Microsoft.CognitiveServices/accounts/delete')


236. Failed Azure Batch operations: 
AzureDiagnostics 
| where Category == 'BatchAccountLogs' and Level == 'Warning' 


237. Unusual Azure Data Lake operations:
AzureActivity
| where ResourceType == 'Microsoft.DataLakeStore/accounts' and OperationName in ('Microsoft.DataLakeStore/accounts/write', 'Microsoft.DataLakeStore/accounts/delete')


238. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


239. Failed Azure IoT Hub operations:
AzureDiagnostics
| where Category == 'IoTHubD2CLogs' and Level == 'Warning'


240. Unusual Azure Data Explorer (ADX) cluster operations:
AzureActivity
| where ResourceType == 'Microsoft.Kusto/clusters' and OperationName in ('Microsoft.Kusto/clusters/write', 'Microsoft.Kusto/clusters/delete')


241. Suspicious Azure Cache for Redis operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


242. Failed Azure Kubernetes Service operations: 
AzureDiagnostics 
| where Category == 'KubeApiServerAuditLogs' and Level == 'Warning' 


243. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Error' 


244. Suspicious Azure Databricks operations:
AzureActivity
| where ResourceType == 'Microsoft.Databricks/workspaces' and OperationName in ('Microsoft.Databricks/workspaces/write', 'Microsoft.Databricks/workspaces/delete')


245. Failed Azure API Management service operations: 
AzureDiagnostics 
| where Category == 'ApiManagementGatewayLogs' and Level == 'Error' 


246. Unusual Azure Bot Service modifications:
AzureActivity
| where ResourceType == 'Microsoft.BotService/botServices' and OperationName in ('Microsoft.BotService/botServices/write', 'Microsoft.BotService/botServices/delete')


247. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


248. Failed Azure Container Instance operations:
AzureDiagnostics
| where Category == 'ContainerInstanceLogs' and Level == 'Error'


249. Unusual Azure API Management API modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service/apis' and OperationName in ('Microsoft.ApiManagement/service/apis/write', 'Microsoft.ApiManagement/service/apis/delete')


250. Suspicious Azure Cognitive Search operations:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


251. Failed Azure Batch operations: 
AzureDiagnostics 
| where Category == 'BatchAccountLogs' and Level == 'Error' 


252. Unusual Azure Data Factory pipeline executions: 
AzureDiagnostics 
| where Category == 'DataFactoryPipelineRuns' and Level == 'Error' 


253. Suspicious Azure Notification Hubs operations:
AzureActivity
| where ResourceType == 'Microsoft.NotificationHubs/namespaces' and OperationName in ('Microsoft.NotificationHubs/namespaces/write', 'Microsoft.NotificationHubs/namespaces/delete')


254. Failed Azure Event Hubs operations: 
AzureDiagnostics 
| where Category == 'EventHub' and Level == 'Error' 


255. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Warning' 


256. Suspicious Azure HDInsight operations:
AzureActivity
| where ResourceType == 'Microsoft.HDInsight/clusters' and OperationName in ('Microsoft.HDInsight/clusters/write', 'Microsoft.HDInsight/clusters/delete')


257. Failed Azure Key Vault access attempts: 
AzureDiagnostics 
| where Category == 'KeyVault' and Level == 'Error' 


258. Unusual Azure Kubernetes Service operations:
AzureActivity
| where ResourceType == 'Microsoft.ContainerService/managedClusters' and OperationName in ('Microsoft.ContainerService/managedClusters/write', 'Microsoft.ContainerService/managedClusters/delete')


259. Suspicious Azure Logic Apps operations:
AzureActivity
| where ResourceType == 'Microsoft.Logic/workflows' and OperationName in ('Microsoft.Logic/workflows/write', 'Microsoft.Logic/workflows/delete')


260. Failed Azure Monitor Alert actions:
AzureDiagnostics
| where Category == 'Platform' and Level == 'Error'


261. Unusual Azure Media Services operations:
AzureActivity
| where ResourceType == 'Microsoft.Media/mediaservices' and OperationName in ('Microsoft.Media/mediaservices/write', 'Microsoft.Media/mediaservices/delete')


262. Suspicious Azure API Gateway operations:
AzureActivity
| where ResourceType == 'Microsoft.ApiGateway/service' and OperationName in ('Microsoft.ApiGateway/service/write', 'Microsoft.ApiGateway/service/delete')


263. Failed Azure Logic App execution attempts:
AzureDiagnostics
| where Category == 'LogicAppRuntime' and Level == 'Error'


264. Unusual Azure AD password reset attempts: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'failure' 


265. Suspicious Azure Stream Analytics operations:
AzureActivity
| where ResourceType == 'Microsoft.StreamAnalytics/streamingjobs' and OperationName in ('Microsoft.StreamAnalytics/streamingjobs/write', 'Microsoft.StreamAnalytics/streamingjobs/delete')


266. Failed Azure SQL Database operations:
AzureDiagnostics
| where Category == 'SQLSecurityAuditEvents' and Level == 'Error'


267. Unusual Azure AD guest user additions:
AuditLogs
| where ActivityDisplayName == 'Invite user' and ResultType == 'success'


268. Suspicious Azure CDN operations:
AzureActivity
| where ResourceType == 'Microsoft.Cdn/profiles' and OperationName in ('Microsoft.Cdn/profiles/write', 'Microsoft.Cdn/profiles/delete')


269. Failed Azure Monitor Alert actions:
AzureDiagnostics
| where Category == 'Platform' and Level == 'Error'


270. Unusual Azure AD B2B guest user additions:
AuditLogs
| where ActivityDisplayName == 'Invite guest user' and ResultType == 'success'


271. Suspicious Azure Redis Cache operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


272. Failed Azure Front Door operations:
AzureDiagnostics
| where Category == 'Frontdoor' and Level == 'Error'


273. Unusual Azure AD B2B user sign-ins: 
AuditLogs 
| where ActivityDisplayName == 'B2B user sign-in' and ResultType == 'success' 


274. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


275. Failed Azure Data Lake operations: 
AzureDiagnostics 
| where Category == 'DataLakeStoreLogs' and Level == 'Error' 


276. Unusual Azure AD B2B user password resets: 
AuditLogs 
| where ActivityDisplayName == 'Self-service password reset' and ResultType == 'success' 


277. Suspicious Azure Machine Learning operations:
AzureActivity
| where ResourceType == 'Microsoft.MachineLearningServices/workspaces' and OperationName in ('Microsoft.MachineLearningServices/workspaces/write', 'Microsoft.MachineLearningServices/workspaces/delete')


278. Failed Azure API Gateway operations:
AzureDiagnostics
| where Category == 'ApiManagementGatewayLogs' and Level == 'Error'


279. Unusual Azure AD B2B user profile updates:
AuditLogs
| where ActivityDisplayName == 'Update user' and ResultType == 'success'

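The AuditLogs items in this list (guest invitations, user profile updates, self-service password resets) return raw rows with the actor and the target buried in dynamic columns. The query below is an added example, not one of the original 300 and not Microsoft's own content: it enriches those events with who initiated them, from which IP, and against whom, then keeps only bulk or repeatedly failing activity. It assumes the standard AuditLogs schema (InitiatedBy and TargetResources as dynamic columns, Result holding 'success' or 'failure'); 'Invite external user' is the activity name a Microsoft Entra tenant actually emits for a guest invitation and is included alongside the list's names; the 5-per-hour threshold is an assumed tuning value.

```kql
// Added example: enrich and threshold the AuditLogs activities used above.
// Assumes the standard AuditLogs schema; threshold and lookback are assumed tuning values.
let lookback = 1h;
let threshold = 5;   // assumed: events per initiator per hour worth an analyst's attention
let watched = dynamic(['Invite external user', 'Invite user', 'Invite guest user',
                       'Update user', 'Self-service password reset']);
AuditLogs
| where TimeGenerated > ago(lookback)
| where ActivityDisplayName in~ (watched)
| extend Outcome = tolower(tostring(Result))
// InitiatedBy carries either .user (interactive actor) or .app (service principal / automation)
| extend InitiatorUser = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorApp  = tostring(InitiatedBy.app.displayName),
         InitiatorIp   = tostring(InitiatedBy.user.ipAddress)
| extend Initiator = iff(isnotempty(InitiatorUser), InitiatorUser, strcat('app:', InitiatorApp))
// The first target resource is the account being invited, updated or reset
| extend Target = tostring(TargetResources[0].userPrincipalName)
| summarize
    Events    = count(),
    Failures  = countif(Outcome == 'failure'),
    Targets   = make_set(Target, 25),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by ActivityDisplayName, Initiator, InitiatorIp
// Bulk invitations/updates, or repeated failed resets, from a single initiator are the rows to triage
| where Events >= threshold or Failures >= threshold
| order by Failures desc, Events desc
```

Run it over a longer window (for example `let lookback = 7d;`) when building a baseline of which admins and apps normally invite guests, then tighten `threshold` to what that baseline shows.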

280. Suspicious Azure Logic App runs: 
AzureDiagnostics 
| where Category == 'LogicAppRuns' and Level == 'Error' 


281. Failed Azure Key Vault secret access attempts:
AzureDiagnostics
| where Category == 'KeyVault' and Level == 'Error'

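The Key Vault items above filter AzureDiagnostics on Category and Level only, which says nothing about which principal is being refused access to which object. The query below is an added example, not part of the original list and not Microsoft's own code: it groups refused secret, key and certificate reads by vault, caller and source IP so a burst of denials from one identity stands out. It assumes Key Vault diagnostic settings send the AuditEvent category to the workspace and the standard AzureDiagnostics columns for it (ResourceProvider, Category, OperationName, ResultType, ResultSignature, CallerIPAddress, Resource, id_s, and the flattened identity-claim columns, which are looked up with column_ifexists because their exact names vary by workspace). The operation list and the 10-failure threshold are assumed tuning values.

```kql
// Added example: failed Key Vault data-plane reads grouped by vault, principal and source IP.
// Assumes AuditEvent diagnostics for Key Vault in AzureDiagnostics; thresholds are assumed values.
let lookback = 1h;
let failure_threshold = 10;   // assumed: denials per principal/IP/vault per hour worth reviewing
let read_ops = dynamic(['SecretGet', 'SecretList', 'KeyGet', 'KeyList', 'CertificateGet', 'CertificateList']);
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceProvider =~ 'MICROSOFT.KEYVAULT' and Category =~ 'AuditEvent'
| where OperationName in~ (read_ops)
// Anything other than Success (Forbidden, Unauthorized, NotFound, ...) is a refused or failed read
| where ResultType !~ 'Success'
// Identity claims are flattened into columns whose names differ between workspaces; tolerate both
| extend CallerUpn   = tostring(column_ifexists('identity_claim_upn_s', '')),
         CallerAppId = tostring(column_ifexists('identity_claim_appid_g', ''))
| extend Principal = iff(isnotempty(CallerUpn), CallerUpn, strcat('appid:', CallerAppId))
| summarize
    Failures  = count(),
    Outcomes  = make_set(ResultSignature, 5),
    Objects   = make_set(id_s, 20),       // the secret/key/certificate URIs that were requested
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by Vault = Resource, Principal, CallerIPAddress
| where Failures >= failure_threshold
| order by Failures desc
```

A single principal failing against many distinct `Objects` is the pattern to look at first; a misconfigured application usually fails repeatedly against one object.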

282. Unusual Azure DevOps pipeline modifications:
AzureActivity
| where ResourceType == 'Microsoft.DevOps/pipelines' and OperationName in ('Microsoft.DevOps/pipelines/write', 'Microsoft.DevOps/pipelines/delete')


283. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


284. Failed Azure Container Registry operations: 
AzureDiagnostics 
| where Category == 'ContainerRegistry' and Level == 'Error' 


285. Unusual Azure API Management service modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service' and OperationName in ('Microsoft.ApiManagement/service/write', 'Microsoft.ApiManagement/service/delete')


286. Suspicious Azure Cognitive Services operations:
AzureActivity
| where ResourceType == 'Microsoft.CognitiveServices/accounts' and OperationName in ('Microsoft.CognitiveServices/accounts/write', 'Microsoft.CognitiveServices/accounts/delete')


287. Failed Azure Batch operations: 
AzureDiagnostics 
| where Category == 'BatchAccountLogs' and Level == 'Error' 


288. Unusual Azure Data Lake operations:
AzureActivity
| where ResourceType == 'Microsoft.DataLakeStore/accounts' and OperationName in ('Microsoft.DataLakeStore/accounts/write', 'Microsoft.DataLakeStore/accounts/delete')


289. Suspicious Azure Search service modifications:
AzureActivity
| where ResourceType == 'Microsoft.Search/searchServices' and OperationName in ('Microsoft.Search/searchServices/write', 'Microsoft.Search/searchServices/delete')


290. Failed Azure IoT Hub operations:
AzureDiagnostics
| where Category == 'IoTHubD2CLogs' and Level == 'Error'


291. Unusual Azure Data Explorer (ADX) cluster operations:
AzureActivity
| where ResourceType == 'Microsoft.Kusto/clusters' and OperationName in ('Microsoft.Kusto/clusters/write', 'Microsoft.Kusto/clusters/delete')


292. Suspicious Azure Cache for Redis operations:
AzureActivity
| where ResourceType == 'Microsoft.Cache/redis' and OperationName in ('Microsoft.Cache/redis/write', 'Microsoft.Cache/redis/delete')


293. Failed Azure Kubernetes Service operations: 
AzureDiagnostics 
| where Category == 'KubeApiServerAuditLogs' and Level == 'Error' 


294. Unusual Azure Functions executions: 
AzureDiagnostics 
| where Category == 'FunctionAppLogs' and Level == 'Error' 


295. Suspicious Azure Databricks operations:
AzureActivity
| where ResourceType == 'Microsoft.Databricks/workspaces' and OperationName in ('Microsoft.Databricks/workspaces/write', 'Microsoft.Databricks/workspaces/delete')


296. Failed Azure API Management service operations:
AzureDiagnostics
| where Category == 'ApiManagementGatewayLogs' and Level == 'Error'


297. Unusual Azure Bot Service modifications:
AzureActivity
| where ResourceType == 'Microsoft.BotService/botServices' and OperationName in ('Microsoft.BotService/botServices/write', 'Microsoft.BotService/botServices/delete')


298. Suspicious Azure SQL Database operations:
AzureActivity
| where ResourceType == 'Microsoft.Sql/servers/databases' and OperationName in ('Microsoft.Sql/servers/databases/write', 'Microsoft.Sql/servers/databases/delete')


299. Failed Azure Container Instance operations:
AzureDiagnostics
| where Category == 'ContainerInstanceLogs' and Level == 'Error'


300. Unusual Azure API Management API modifications:
AzureActivity
| where ResourceType == 'Microsoft.ApiManagement/service/apis' and OperationName in ('Microsoft.ApiManagement/service/apis/write', 'Microsoft.ApiManagement/service/apis/delete')

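Every AzureActivity item in this list matches write and delete operations on one resource provider, which lists all changes rather than the "unusual" ones the titles promise. The query below is an added example, not one of the original 300 and not Microsoft's own code: it generalises those items into a first-seen-caller analytic, flagging a successful write or delete on a watched resource type by an identity that has not performed that operation in the preceding baseline period. It assumes the current AzureActivity schema (OperationNameValue holding the canonical operation such as MICROSOFT.SQL/SERVERS/DATABASES/WRITE, Caller, CallerIpAddress, ActivityStatusValue, SubscriptionId and _ResourceId); the watched operations are taken from the list above, and the 14-day baseline and 1-hour detection window are assumed tuning values.

```kql
// Added example: first-seen caller performing a watched write/delete in AzureActivity.
// Assumes the current AzureActivity schema; baseline, window and watched list are assumed values.
let baseline_period = 14d;
let detection_window = 1h;
let watched_ops = dynamic([
    'MICROSOFT.SQL/SERVERS/DATABASES/WRITE',
    'MICROSOFT.SQL/SERVERS/DATABASES/DELETE',
    'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE',
    'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/DELETE',
    'MICROSOFT.LOGIC/WORKFLOWS/WRITE',
    'MICROSOFT.LOGIC/WORKFLOWS/DELETE',
    'MICROSOFT.KUSTO/CLUSTERS/WRITE',
    'MICROSOFT.KUSTO/CLUSTERS/DELETE'
]);
// Baseline: which callers have successfully performed each watched operation before the window
let known_callers = AzureActivity
    | where TimeGenerated between (ago(baseline_period + detection_window) .. ago(detection_window))
    | where OperationNameValue in~ (watched_ops)
    | where ActivityStatusValue =~ 'Success'
    | distinct Caller, OperationNameValue;
// Detection: the same operations in the current window by a caller absent from the baseline
AzureActivity
| where TimeGenerated > ago(detection_window)
| where OperationNameValue in~ (watched_ops)
| where ActivityStatusValue =~ 'Success'
| join kind=leftanti known_callers on Caller, OperationNameValue
| summarize
    Operations = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Resources  = make_set(_ResourceId, 20),
    SourceIps  = make_set(CallerIpAddress, 10)
    by Caller, OperationNameValue, SubscriptionId
// Deletes by a never-before-seen caller are the most urgent rows
| extend Severity = iff(OperationNameValue endswith '/DELETE', 'High', 'Medium')
| order by Severity asc, Operations desc
```

Extend `watched_ops` with any other provider from the list (the canonical value is the upper-cased resource type followed by `/WRITE` or `/DELETE`), and expect a burst of results on the first run after onboarding a new subscription, since the baseline is empty until the 14-day period has been collected.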

Important Note: These queries cover a broad range of activities to monitor and analyze in Azure Sentinel. Adjust the table names, categories, resource types and activity names in the KQL queries to match your own configuration and naming conventions.


